Re: [ANN] Version 3.0.0-rc1
Hi,

> We are in feature freeze for 3.0. The configuration format and behaviour for 3.0 will be stable between now and the final release (as it was with release_3_0_0_rc0).
>
> If you are planning on deploying 3.0 and have an existing 2.x.x configuration you were planning to migrate when the 3.0 is released, now would be a good time to try that, and to report any issues or problematic behavior changes you notice.
>
> To provide a single point to test against, the release_3_0_0_rc1 tag has been created.

When trying to make install with the custom way of avoiding raddb as suggested on the list earlier (i.e.

    mv raddb raddb-noinst
    mkdir raddb
    touch raddb/all.mk
    make install

I now encounter a Makefile error:

    radius-int-1-new:~/freeradius-server-release_3_0_0_rc1 # make install
    make: *** No rule to make target `/usr/local/freeradius/config/raddb/mods-config', needed by `/usr/local/freeradius/config/raddb/mods-config/perl'. Stop.

As you see, I'm not inside /usr/local/freeradius at all ... I'm in /root/freeradius-server-release_3_0_0_rc1/. The raddb folder is empty except the 0-byte all.mk. Why would it think it needs to do something for /usr/local/freeradius/config/raddb/mods-config/perl ?

This is an otherwise fresh rc1. The directory above is the place where the config resides in; but it should leave that one alone, right?

configure runs with the following options:

    ./configure --prefix=/usr/local/freeradius/3.0.0-tagged-rc1 \
        --with-raddbdir=/usr/local/freeradius/config/raddb \
        --with-openssl \
        --with-openssl-includes=/usr/local/freeradius/openssl-1.0.1c/include \
        --with-openssl-libraries=/usr/local/freeradius/openssl-1.0.1c/lib

(and that's the reason it knows about /usr/local/freeradius/config/raddb at all)

I believe that way to make make install ignore raddb used to work with rc0 and numerous GIT snapshots.

Greetings,

Stefan Winter

> Behaviour changes since release_3_0_0_rc0:
>
> * Fixed many more compiler warnings.
> * LDAP schemas to load dynamic clients from LDAP
> * the control socket is now marked stable
> * Added RFC 6929 dictionary, along with a few others
> * Clean up proxy ID allocation / re-allocation
> * pairbasicfree() has been replaced by talloc_free()
> * Added %{debug_attr:LIST} to print out at attributes in LIST
> * The PAP module can now configurably *not* normalize passwords
> * Remove support for %{#}, and add %{strlen:} expansion
>
> Bug fixes:
>
> * Corrected more documentation to match the new behavior and config
> * Corrected many minor typos and spelling mistakes in documentation and config files
> * If the installation directory exists, don't re-install files
> * add crlDistributionPoints to certificates for Windows phones.
> * Use documentation IP addresses everywhere (192.0.2/24)
> * Build fixes for clang related to the -rdynamic flag
> * Allow update sections to update outer.reply
> * Re-write module handler to work, the code is significantly cleaner, and priority overrides work correctly in all cases, #404, #424
> * CUI SQL fixes, #412
> * Don't die in RB tree re-allocation of proxy ID
> * Do a second pass over pre-compiled conditions, #421, #423
> * Add delete order to rbtree, #416 Also used by the proxy ID re-allocation code
> * Fixed TCP socket close handlers to be simpler and more robust
> * Allow ${..} expansion in `strings`
> * moved EAP destructors to talloc, which wasn't done in -rc0
> * Fix LDAP group comparisons, and other pair comparisons
> * NULL terminate strings copied between VALUE_PAIRs correctly
> * Fix !* when used with non-string attributes
> * Fix `` exec in update sections
> * Load libpython within rlm_python to ensure all required symbols are available
> * Don't SEGV printing IPv6 Interface ID
> * Don't SEGV evaluating dates in rlm_expiration
> * Fix ./configure --with-shared-libs=no
> * Fix crashes related to opaque request data and regular expressions
> * Fix heimdal krb5 build
>
> The tarball is available here:
> https://github.com/FreeRADIUS/freeradius-server/archive/release_3_0_0_rc1.tar.gz
>
> Arran Cudbard-Bell a.cudba...@freeradius.org
> FreeRADIUS Development Team

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: [ANN] Version 3.0.0-rc1
On 9 Sep 2013, at 08:44, Stefan Winter stefan.win...@restena.lu wrote:

> Hi,
>
>> We are in feature freeze for 3.0. The configuration format and behaviour for 3.0 will be stable between now and the final release (as it was with release_3_0_0_rc0).
>>
>> If you are planning on deploying 3.0 and have an existing 2.x.x configuration you were planning to migrate when the 3.0 is released, now would be a good time to try that, and to report any issues or problematic behavior changes you notice.
>>
>> To provide a single point to test against, the release_3_0_0_rc1 tag has been created.
>
> When trying to make install with the custom way of avoiding raddb as suggested on the list earlier (i.e.
>
>     mv raddb raddb-noinst
>     mkdir raddb
>     touch raddb/all.mk
>     make install
>
> I now encounter a Makefile error:
>
>     radius-int-1-new:~/freeradius-server-release_3_0_0_rc1 # make install
>     make: *** No rule to make target `/usr/local/freeradius/config/raddb/mods-config', needed by `/usr/local/freeradius/config/raddb/mods-config/perl'. Stop.

Right, but this is installation so your targets will be inside the installation directory. It's missing the target to create the mods-config directory which is usually in raddb/all.mk, which in this case has been removed.

> As you see, I'm not inside /usr/local/freeradius at all ... I'm in /root/freeradius-server-release_3_0_0_rc1/. The raddb folder is empty except the 0-byte all.mk. Why would it think it needs to do something for /usr/local/freeradius/config/raddb/mods-config/perl ?

Because that all.mk file for the rlm_perl module installs example perl scripts in mod-config, the same with rlm_python and rlm_ruby.

> This is an otherwise fresh rc1. The directory above is the place where the config resides in; but it should leave that one alone, right?
>
> configure runs with the following options:
>
>     ./configure --prefix=/usr/local/freeradius/3.0.0-tagged-rc1 \
>         --with-raddbdir=/usr/local/freeradius/config/raddb \
>         --with-openssl \
>         --with-openssl-includes=/usr/local/freeradius/openssl-1.0.1c/include \
>         --with-openssl-libraries=/usr/local/freeradius/openssl-1.0.1c/lib
>
> (and that's the reason it knows about /usr/local/freeradius/config/raddb at all)
>
> I believe that way to make make install ignore raddb used to work with rc0 and numerous GIT snapshots.

I guess we'll have to come up with a proper fix.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
Re: [ANN] Version 3.0.0-rc1
Hi,

>     mv raddb raddb-noinst
>     mkdir raddb
>     touch raddb/all.mk
>     make install

do 'mkdir raddb/mods-config'

you've 'messed around' with the configuration directory which assumes that mods-config exists... i guess that could be fixed to make dir directory first if it doesn't exist.

alan
Re: [ANN] Version 3.0.0-rc1
Hi,

>>     mv raddb raddb-noinst
>>     mkdir raddb
>>     touch raddb/all.mk
>>     make install
>
> do 'mkdir raddb/mods-config'
>
> you've 'messed around' with the configuration directory which assumes that mods-config exists... i guess that could be fixed to make dir directory first if it doesn't exist.

The idea is that make install is not supposed to touch my production config in any way. I don't want it to generously add directories without me knowing.

It was easy to tell it to back off earlier (even easier in v2 - just mv source/raddb/ out of the way), but now for some reason the old v3-style mechanism doesn't work any more.

I guess I could create the mods-config/ dir in my production config dir and it would make the symptom go away. I still found it worth reporting that some messing-around with the config dir is going on/attempted even when the source dir is told not to do that.

I think I understand from the earlier post that the make install target of rlm_perl wants to do something in raddb/mods-config/ on its own; and bails out when it can't. It's not nice if one module makes assumptions about a part of the directory structure it doesn't control. Nothing stops me from deploying a raddb with the configs lying in raddb/modules-configuration-information/ and it would be very undue if the stock build process bails out on failure then during a subsequent installation.

Greetings,

Stefan
Re: [ANN] Version 3.0.0-rc1
Hi,

> Because that all.mk file for the rlm_perl module installs example perl scripts in mod-config, the same with rlm_python and rlm_ruby.
>
> I guess we'll have to come up with a proper fix.

Does the file need to be created by the rlm's make install? The example scripts could be put into source/raddb/mods-config, and installed from raddb's own part of make install.

That way, if I move raddb out of the way, nothing bad will happen; both the current content of raddb and all the script examples will be ignored.

Greetings,

Stefan Winter
Re: [ANN] Version 3.0.0-rc1
On 09/09/13 14:04, Stefan Winter wrote:

> Hi,
>
>>>     mv raddb raddb-noinst
>>>     mkdir raddb
>>>     touch raddb/all.mk
>>>     make install
>>
>> do 'mkdir raddb/mods-config'
>>
>> you've 'messed around' with the configuration directory which assumes that mods-config exists... i guess that could be fixed to make dir directory first if it doesn't exist.
>
> The idea is that make install is not supposed to touch my production config in any way. I don't want it to generously add directories without me knowing.

I would tend to agree. Really, anything that touches raddb should only run if the top-level raddb directory doesn't exist or is completely empty.
Re: [ANN] Version 3.0.0-rc1
Stefan Winter wrote:

> The idea is that make install is not supposed to touch my production config in any way. I don't want it to generously add directories without me knowing.

Honestly, the simplest might be to edit Make.inc, at the top where it defines raddbdir and modconfdir:

    ifeq "$(raddbdir)" ""
    raddbdir = ${sysconfdir}/raddb
    modconfdir = ${sysconfdir}/raddb/mods-config
    endif

Then, do:

    $ ./configure ...
    $ make
    $ make raddbdir=/tmp/garbage install

All of the raddbdir stuff will get installed to the /tmp/garbage directory. The binaries will be built with the correct paths, and installed in the correct locations.

> It was easy to tell it to back off earlier (even easier in v2 - just mv source/raddb/ out of the way), but now for some reason the old v3-style mechanism doesn't work any more.

Well... the build system has changed *completely*.

> I guess I could create the mods-config/ dir in my production config dir and it would make the symptom go away. I still found it worth reporting that some messing-around with the config dir is going on/attempted even when the source dir is told not to do that.

Because the rules for install to config dir are scattered through the source, and not all in raddb. So when you nuke raddb, you don't delete all of the rules.

> It's not nice if one module makes assumptions about a part of the directory structure it doesn't control. Nothing stops me from deploying a raddb with the configs lying in raddb/modules-configuration-information/ and it would be very undue if the stock build process bails out on failure then during a subsequent installation.

Well... if you want to create a non-standard configuration, it's up to you to do the work. The default install process assumes that the installation is... a default one. The customization is done via the paths at the top of the Make.inc file.

If you want to change *internal* paths, then all bets are off. My only answer is Good luck!

Alan DeKok.
Re: [ANN] Version 3.0.0-rc1
On 9 Sep 2013, at 14:24, Alan DeKok al...@deployingradius.com wrote:

> Stefan Winter wrote:
>> The idea is that make install is not supposed to touch my production config in any way. I don't want it to generously add directories without me knowing.

There's also:

    #!/bin/sh

    make clean
    if ! git pull; then exit 1; fi

    hash=`git log -n 1 --pretty=format:%h`

    ./configure -C --prefix=/usr/local/freeradius-$hash --enable-developer
    make -j8
    if ! sudo make install; then exit 1; fi

    sudo rm /usr/local/freeradius
    sudo ln -s /usr/local/freeradius-$hash /usr/local/freeradius

    # Bootstrap configuration directory
    if [ ! -d /usr/local/etc/raddb ]; then
        if [ ! -d /usr/local/etc ]; then
            sudo mkdir /usr/local/etc/
        fi
        sudo cp -ra /usr/local/freeradius-$hash/etc/raddb /usr/local/etc/
    fi

    sudo rm -rf /usr/local/freeradius/etc/raddb
    sudo ln -s /usr/local/etc/raddb /usr/local/freeradius/etc/raddb

    sudo service radiusd restart

Which is what I use to deploy GIT versions on production servers. It allows you to quickly fail back to a previous version if there are issues.

This negates problems caused by installing over the top of a previous installation, which IMHO is always an extremely bad idea with any unpackaged software.

-Arran

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
Re: [ANN] Version 3.0.0-rc1
On Mon, Sep 09, 2013 at 03:18:06PM +0100, Arran Cudbard-Bell wrote:

> This negates problems caused by installing over the top of a previous installation, which IMHO is always an extremely bad idea with any unpackaged software.

...or even packaged software.

FWIW, I put all freeradius config in /srv/radius, and then /etc/default/freeradius sets the daemon option '-d /srv/radius'.

Even with Debian's pretty good system of not overwriting config files, I want to a) guarantee that my config never gets touched, and b) not have to be asked about changed config files at package upgrade time. Moving my config to a different location solves that entirely.

It also means that I have a reference raddb in the standard location, so I can refer to it. My config is mostly stripped of comments for brevity (and my sanity). The reference config has them all in.

I can't personally see why anyone would 'make install' on top of a working config on a server and trust the install to not touch any local changes. Even if I'm 99.99% sure it won't, I'd be too worried to do it when there's an easy alternative. But I guess some are just more adventurous than me! :)

Cheers,

Matthew

--
Matthew Newton, Ph.D. m...@le.ac.uk

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
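The requirement running through this thread (make install must not touch a production raddb, and an installer should populate raddb only when it is missing or empty) can be checked mechanically. The script below is an added example, not code from the thread or from the FreeRADIUS project; the function names and the manifest file location are assumptions, and the raddb path in the usage comment is the one from Stefan's configure line.

```shell
#!/bin/sh
# Added example (not from the thread): detect any change an install step
# makes to a production raddb. All function names are hypothetical.

# SHA-256 of one file; sha256sum on Linux, shasum as a fallback.
_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# raddb_manifest DIR
# One line per entry below DIR: mode string, relative path, then the content
# hash (regular files) or link target (symlinks). Directories are listed
# too, so a new, empty mods-config/ created by an installer is visible.
raddb_manifest() {
    (
        cd "$1" || exit 2
        find . ! -path . | LC_ALL=C sort | while IFS= read -r p; do
            mode=$(ls -ld "$p" | cut -d' ' -f1)
            if [ -L "$p" ]; then
                data=$(readlink "$p")
            elif [ -f "$p" ]; then
                data=$(_sha256 "$p")
            else
                data=-
            fi
            printf '%s %s %s\n' "$mode" "$p" "$data"
        done
    )
}

# raddb_changes DIR MANIFEST
# Print what was added, removed or modified since MANIFEST was taken.
# Returns 0 when nothing changed, 1 when something did, 2 on error.
raddb_changes() {
    _now=$(mktemp) || return 2
    raddb_manifest "$1" > "$_now" || { rm -f "$_now"; return 2; }
    if diff "$2" "$_now"; then _rc=0; else _rc=1; fi
    rm -f "$_now"
    return "$_rc"
}

# raddb_is_pristine DIR
# True only when DIR does not exist or is a completely empty directory,
# the two states in which the thread agrees an installer may populate it.
raddb_is_pristine() {
    if [ ! -e "$1" ] && [ ! -L "$1" ]; then return 0; fi
    [ -d "$1" ] && [ ! -L "$1" ] && [ -z "$(ls -A "$1")" ]
}

# bootstrap_raddb SRC DST
# Copy the reference config from SRC into DST only when DST is pristine;
# otherwise leave DST alone and return 1.
bootstrap_raddb() {
    raddb_is_pristine "$2" || return 1
    mkdir -p "$2" && cp -R "$1"/. "$2"/
}

# Usage around an install. Keep the manifest outside raddb itself:
#   raddb_manifest /usr/local/freeradius/config/raddb > /root/raddb.before
#   make install
#   raddb_changes /usr/local/freeradius/config/raddb /root/raddb.before \
#       || echo "make install modified the production raddb" >&2
```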
RE: problem with initial setup
Thanks for the replies:

Ok, uninstalled #1 and updated to freeradius2

radiusd started without a hitch with

    testing Cleartext-Password := password

in users file.

When I ran

    radtest testing password localhost 0 testing123

Received

    -bash: /usr/bin/radtest: No such file or directory

For academics sake here is the radius -X output. (definitely not my granddad's radius )

    [root@ldap1 raddb]# radiusd -X
    FreeRADIUS Version 2.1.12, for host i386-redhat-linux-gnu, built on Sep 25 2012 at 10:55:14
    Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
    There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
    You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
    Starting - reading configuration files ...
    including configuration file /etc/raddb/radiusd.conf
    including configuration file /etc/raddb/proxy.conf
    including configuration file /etc/raddb/clients.conf
    including files in directory /etc/raddb/modules/
    including configuration file /etc/raddb/modules/mac2ip
    including configuration file /etc/raddb/modules/radutmp
    including configuration file /etc/raddb/modules/inner-eap
    including configuration file /etc/raddb/modules/pam
    including configuration file /etc/raddb/modules/always
    including configuration file /etc/raddb/modules/pap
    including configuration file /etc/raddb/modules/detail
    including configuration file /etc/raddb/modules/sql_log
    including configuration file /etc/raddb/modules/preprocess
    including configuration file /etc/raddb/modules/realm
    including configuration file /etc/raddb/modules/echo
    including configuration file /etc/raddb/modules/soh
    including configuration file /etc/raddb/modules/etc_group
    including configuration file /etc/raddb/modules/passwd
    including configuration file /etc/raddb/modules/rediswho
    including configuration file /etc/raddb/modules/replicate
    including configuration file /etc/raddb/modules/checkval
    including configuration file /etc/raddb/modules/detail.log
    including configuration file /etc/raddb/modules/exec
    including configuration file /etc/raddb/modules/sradutmp
    including configuration file /etc/raddb/modules/acct_unique
    including configuration file /etc/raddb/modules/otp
    including configuration file /etc/raddb/modules/linelog
    including configuration file /etc/raddb/modules/smbpasswd
    including configuration file /etc/raddb/modules/attr_rewrite
    including configuration file /etc/raddb/modules/redis
    including configuration file /etc/raddb/modules/dynamic_clients
    including configuration file /etc/raddb/modules/chap
    including configuration file /etc/raddb/modules/opendirectory
    including configuration file /etc/raddb/modules/smsotp
    including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
    including configuration file /etc/raddb/modules/ntlm_auth
    including configuration file /etc/raddb/modules/ippool
    including configuration file /etc/raddb/modules/unix
    including configuration file /etc/raddb/modules/attr_filter
    including configuration file /etc/raddb/modules/mschap
    including configuration file /etc/raddb/modules/cui
    including configuration file /etc/raddb/modules/digest
    including configuration file /etc/raddb/modules/expr
    including configuration file /etc/raddb/modules/logintime
    including configuration file /etc/raddb/modules/counter
    including configuration file /etc/raddb/modules/detail.example.com
    including configuration file /etc/raddb/modules/perl
    including configuration file /etc/raddb/modules/mac2vlan
    including configuration file /etc/raddb/modules/expiration
    including configuration file /etc/raddb/modules/wimax
    including configuration file /etc/raddb/modules/policy
    including configuration file /etc/raddb/modules/files
    including configuration file /etc/raddb/eap.conf
    including configuration file /etc/raddb/policy.conf
    including files in directory /etc/raddb/sites-enabled/
    including configuration file /etc/raddb/sites-enabled/inner-tunnel
    including configuration file /etc/raddb/sites-enabled/control-socket
    including configuration file /etc/raddb/sites-enabled/default
    main {
        user = radiusd
        group = radiusd
        allow_core_dumps = no
    }
    including dictionary file /etc/raddb/dictionary
    main {
        name = radiusd
        prefix = /usr
        localstatedir = /var
        sbindir = /usr/sbin
        logdir = /var/log/radius
        run_dir = /var/run/radiusd
        libdir = /usr/lib/freeradius
        radacctdir = /var/log/radius/radacct
        hostname_lookups = no
        max_request_time = 30
        cleanup_delay = 5
        max_requests = 1024
        pidfile = /var/run/radiusd/radiusd.pid
        checkrad = /usr/sbin/checkrad
        debug_level = 0
        proxy_requests = yes
        log {
            stripped_names = no
            auth = no
            auth_badpass = no
            auth_goodpass = no
        }
        security {
            max_attributes = 200
            reject_delay = 1
            status_server = yes
        }
    }
    radiusd: Loading Realms and Home Servers
    proxy
Re: problem with initial setup
On 9 Sep 2013, at 17:18, Swenson, Chris cswen...@curry.edu wrote:

> Hi all,
>
> I have not used radius in about 15 years and found a need recently. I have set up the rpm on a red hat 5.6 server and when I run radius -X the system starts fine with the expected info.

That'd be version 1.x.x? Which doesn't support Cleartext-Password. I think you can use User-Password as a check item there, but I honestly can't remember.

You might want to consider upgrading.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
Re: problem with initial setup
> Received -bash: /usr/bin/radtest: No such file or directory

It means radtest command was not found.

On Mon, Sep 9, 2013 at 10:22 PM, Swenson, Chris cswen...@curry.edu wrote:

> Thanks for the replies:
>
> Ok, uninstalled #1 and updated to freeradius2
>
> radiusd started without a hitch with
>
>     testing Cleartext-Password := password
>
> in users file.
>
> When I ran
>
>     radtest testing password localhost 0 testing123
>
> Received
>
>     -bash: /usr/bin/radtest: No such file or directory
>
> For academics sake here is the radius -X output. (definitely not my granddad's radius )
>
>     [root@ldap1 raddb]# radiusd -X
>     FreeRADIUS Version 2.1.12, for host i386-redhat-linux-gnu, built on Sep 25 2012 at 10:55:14
>     Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
>     There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
>     You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
>     Starting - reading configuration files ...
>     including configuration file /etc/raddb/radiusd.conf
>     including configuration file /etc/raddb/proxy.conf
>     including configuration file /etc/raddb/clients.conf
>     including files in directory /etc/raddb/modules/
>     including configuration file /etc/raddb/modules/mac2ip
>     including configuration file /etc/raddb/modules/radutmp
>     including configuration file /etc/raddb/modules/inner-eap
>     including configuration file /etc/raddb/modules/pam
>     including configuration file /etc/raddb/modules/always
>     including configuration file /etc/raddb/modules/pap
>     including configuration file /etc/raddb/modules/detail
>     including configuration file /etc/raddb/modules/sql_log
>     including configuration file /etc/raddb/modules/preprocess
>     including configuration file /etc/raddb/modules/realm
>     including configuration file /etc/raddb/modules/echo
>     including configuration file /etc/raddb/modules/soh
>     including configuration file /etc/raddb/modules/etc_group
>     including configuration file /etc/raddb/modules/passwd
>     including configuration file /etc/raddb/modules/rediswho
RE: problem with initial setup
That did it,

In the version 1 the radtest must have been installed with the radius, not as a separate package. I have now also successfully tested.

I wonder why in the ticket I opened with red hat support they did not suggest the upgrade.

Thanks to all.

Chris S.

-----Original Message-----
From: John Dennis [mailto:jden...@redhat.com]
Sent: Monday, September 09, 2013 1:11 PM
To: FreeRadius users mailing list
Cc: Swenson, Chris
Subject: Re: problem with initial setup

On 09/09/2013 12:52 PM, Swenson, Chris wrote:
> Thanks for the replies:
>
> Ok, uninstalled #1 and updated to freeradius2
>
> radiusd started without a hitch with
>
>     testing Cleartext-Password := password
>
> in users file.
>
> When I ran
>
>     radtest testing password localhost 0 testing123
>
> Received
>
>     -bash: /usr/bin/radtest: No such file or directory

It's in the freeradius2-utils package.

    % yum install /usr/bin/radtest

or

    % yum install freeradius2-utils

or read how to use the yum package manager.

--
John
Re: problem with initial setup solved
NEVER

On Sep 9, 2013, at 10:34 AM, Swenson, Chris cswen...@curry.edu wrote:

> I guess I need to recycle my 2002 Shell O'Reilly book.
Re: problem with initial setup
On 09/09/2013 12:18 PM, Swenson, Chris wrote:

> Hi all,
>
> I have not used radius in about 15 years and found a need recently. I have set up the rpm on a red hat 5.6 server and when I run radius -X the system starts fine with the expected info.

On RHEL5 make sure you install the freeradius2 set of packages, not the freeradius packages. RHEL5 initially shipped with freeradius 1.x, but you want to be running 2.x. In RHEL we can't remove a previously shipped major version of a package so we had to add freeradius2 in order to make version 2.x available.

--
John
Re: problem with initial setup
On 09/09/2013 12:52 PM, Swenson, Chris wrote:

> Thanks for the replies:
>
> Ok, uninstalled #1 and updated to freeradius2
>
> radiusd started without a hitch with
>
>     testing Cleartext-Password := password
>
> in users file.
>
> When I ran
>
>     radtest testing password localhost 0 testing123
>
> Received
>
>     -bash: /usr/bin/radtest: No such file or directory

It's in the freeradius2-utils package.

    % yum install /usr/bin/radtest

or

    % yum install freeradius2-utils

or read how to use the yum package manager.

--
John
problem with initial setup
Hi all,

I have not used radius in about 15 years and found a need recently. I have set up the rpm on a red hat 5.6 server and when I run radius -X the system starts fine with the expected info.

When I enter the suggested as the first line in the users file

    testing Cleartext-Password := password

And then rerun the radius -X it bombs and does not start. See output below. Without this running I cannot do the radtest.

Thanks for any guidance.

    [root@ldap1 raddb]# radiusd -X
    Starting - reading configuration files ...
    reread_config: reading radiusd.conf
    Config: including file: /etc/raddb/proxy.conf
    Config: including file: /etc/raddb/clients.conf
    Config: including file: /etc/raddb/snmp.conf
    Config: including file: /etc/raddb/eap.conf
    main: prefix = /usr
    main: localstatedir = /var
    main: logdir = /var/log/radius
    main: libdir = /usr/lib
    main: radacctdir = /var/log/radius/radacct
    main: hostname_lookups = no
    main: snmp = no
    main: max_request_time = 30
    main: cleanup_delay = 5
    main: max_requests = 1024
    main: delete_blocked_requests = 0
    main: port = 0
    main: allow_core_dumps = no
    main: log_stripped_names = no
    main: log_file = /var/log/radius/radius.log
    main: log_auth = no
    main: log_auth_badpass = no
    main: log_auth_goodpass = no
    main: pidfile = /var/run/radiusd/radiusd.pid
    main: user = radiusd
    main: group = radiusd
    main: usercollide = no
    main: lower_user = no
    main: lower_pass = no
    main: nospace_user = no
    main: nospace_pass = no
    main: checkrad = /usr/sbin/checkrad
    main: proxy_requests = yes
    proxy: retry_delay = 5
    proxy: retry_count = 3
    proxy: synchronous = no
    proxy: default_fallback = yes
    proxy: dead_time = 120
    proxy: post_proxy_authorize = no
    proxy: wake_all_if_all_dead = no
    security: max_attributes = 200
    security: reject_delay = 1
    security: status_server = no
    main: debug_level = 0
    read_config_files: reading dictionary
    read_config_files: reading naslist
    Using deprecated naslist file. Support for this will go away soon.
    read_config_files: reading clients
    read_config_files: reading realms
    radiusd: entering modules setup
    Module: Library search path is /usr/lib
    Module: Loaded exec
    exec: wait = yes
    exec: program = (null)
    exec: input_pairs = request
    exec: output_pairs = (null)
    exec: packet_type = (null)
    rlm_exec: Wait=yes but no output defined. Did you mean output=none?
    Module: Instantiated exec (exec)
    Module: Loaded expr
    Module: Instantiated expr (expr)
    Module: Loaded PAP
    pap: encryption_scheme = crypt
    Module: Instantiated pap (pap)
    Module: Loaded CHAP
    Module: Instantiated chap (chap)
    Module: Loaded MS-CHAP
    mschap: use_mppe = yes
    mschap: require_encryption = no
    mschap: require_strong = no
    mschap: with_ntdomain_hack = no
    mschap: passwd = (null)
    mschap: ntlm_auth = (null)
    Module: Instantiated mschap (mschap)
    Module: Loaded System
    unix: cache = no
    unix: passwd = (null)
    unix: shadow = /etc/shadow
    unix: group = (null)
    unix: radwtmp = /var/log/radius/radwtmp
    unix: usegroup = no
    unix: cache_reload = 600
    Module: Instantiated unix (unix)
    Module: Loaded eap
    eap: default_eap_type = md5
    eap: timer_expire = 60
    eap: ignore_unknown_eap_types = no
    eap: cisco_accounting_username_bug = no
    rlm_eap: Loaded and initialized type md5
    rlm_eap: Loaded and initialized type leap
    gtc: challenge = Password:
    gtc: auth_type = PAP
    rlm_eap: Loaded and initialized type gtc
    mschapv2: with_ntdomain_hack = no
    rlm_eap: Loaded and initialized type mschapv2
    Module: Instantiated eap (eap)
    Module: Loaded preprocess
    preprocess: huntgroups = /etc/raddb/huntgroups
    preprocess: hints = /etc/raddb/hints
    preprocess: with_ascend_hack = no
    preprocess: ascend_channels_per_line = 23
    preprocess: with_ntdomain_hack = no
    preprocess: with_specialix_jetstream_hack = no
    preprocess: with_cisco_vsa_hack = no
    preprocess: with_alvarion_vsa_hack = no
    Module: Instantiated preprocess (preprocess)
    Module: Loaded realm
    realm: format = suffix
    realm: delimiter = @
    realm: ignore_default = no
    realm: ignore_null = no
    Module: Instantiated realm (suffix)
    Module: Loaded files
    files: usersfile = /etc/raddb/users
    files: acctusersfile = /etc/raddb/acct_users
    files: preproxy_usersfile = /etc/raddb/preproxy_users
    files: compat = no
    /etc/raddb/users[91]: Parse error (check) for entry testing: Unknown attribute Cleartext-Password
    Errors reading /etc/raddb/users
    radiusd.conf[1059]: files: Module instantiation failed.
    radiusd.conf[1837] Unknown module files.
    radiusd.conf[1773] Failed to parse authorize section.
    [root@ldap1 raddb]#
RE: problem with initial setup solved
I guess I need to recycle my 2002 Shell O'Reilly book.

-Original Message-
From: freeradius-users-bounces+cswenson=curry@lists.freeradius.org [mailto:freeradius-users-bounces+cswenson=curry@lists.freeradius.org] On Behalf Of Swenson, Chris
Sent: Monday, September 09, 2013 1:27 PM
To: FreeRadius users mailing list
Subject: RE: problem with initial setup

That did it. In the version 1 the radtest must have been installed with the radius, not as a separate package. I have now also successfully tested. I wonder why in the ticket I opened with red hat support they did not suggest the upgrade.

Thanks to all.
Chris S.

-Original Message-
From: John Dennis [mailto:jden...@redhat.com]
Sent: Monday, September 09, 2013 1:11 PM
To: FreeRadius users mailing list
Cc: Swenson, Chris
Subject: Re: problem with initial setup

On 09/09/2013 12:52 PM, Swenson, Chris wrote:
> Thanks for the replies:
> Ok, uninstalled #1 and updated to freeradius2
> radiusd started without a hitch with
> testing Cleartext-Password := password
> in users file.
> When I ran
> radtest testing password localhost 0 testing123
> Received
> -bash: /usr/bin/radtest: No such file or directory

It's in the freeradius2-utils package.

% yum install /usr/bin/radtest

or

% yum install freeradius2-utils

or read how to use the yum package manager.

--
John
Re: problem with initial setup
Swenson, Chris wrote:
> Hi all, I have not used radius in about 15 years and found a need recently. I have set up the rpm on a red hat 5.6 server and when I run radius -X the system starts fine with the expected info.

You're running a VERY old version. You may need the freeradius2 package, instead of freeradius.

Check radiusd -v. If it's not 2.x, then remove the RPM, and install a version 2 RPM.

Alan DeKok.
RE: my Radius goal radius and openldap.
No, they are encrypted in the ldap database in md5 hash.

I might be too old to do bleeding edge stuff like 3.0 RC1. I will take a look and a poke at it though.

Thanks.

-Original Message-
From: freeradius-users-bounces+cswenson=curry@lists.freeradius.org [mailto:freeradius-users-bounces+cswenson=curry@lists.freeradius.org] On Behalf Of Arran Cudbard-Bell
Sent: Monday, September 09, 2013 6:54 PM
To: FreeRadius users mailing list
Subject: Re: my Radius goal radius and openldap.

On 9 Sep 2013, at 23:00, Swenson, Chris cswen...@curry.edu wrote:
> I already have functioning openldap with SSL. (actually a neat little multi master setup.) I would like to get this radius to authenticate against the openldap.

You have plaintext passwords then?

> I have dug around Google and found some useful looking pages, but I wonder if anybody has any hot tips on this so I don't feel like I am completely reinventing the wheel.

Use FreeRADIUS 3.0.0-rc1, the LDAP module is SIGNIFICANTLY better. For redundancy/resilience you can either just point the module at a round-robin FQDN, or set a comma delimited list of servers in the 'server' config item, libldap handles the failover.

Arran Cudbard-Bell
a.cudba...@freeradius.org
FreeRADIUS Development Team
Re: my Radius goal radius and openldap.
On 9 Sep 2013, at 23:00, Swenson, Chris cswen...@curry.edu wrote:
> I already have functioning openldap with SSL. (actually a neat little multi master setup.) I would like to get this radius to authenticate against the openldap.

You have plaintext passwords then?

> I have dug around Google and found some useful looking pages, but I wonder if anybody has any hot tips on this so I don’t feel like I am completely reinventing the wheel.

Use FreeRADIUS 3.0.0-rc1, the LDAP module is SIGNIFICANTLY better. For redundancy/resilience you can either just point the module at a round-robin FQDN, or set a comma delimited list of servers in the 'server' config item, libldap handles the failover.

Arran Cudbard-Bell
a.cudba...@freeradius.org
FreeRADIUS Development Team
my Radius goal radius and openldap.
I already have functioning openldap with SSL. (actually a neat little multi master setup.) I would like to get this radius to authenticate against the openldap.

I have dug around Google and found some useful looking pages, but I wonder if anybody has any hot tips on this so I don't feel like I am completely reinventing the wheel.

Thanks
Chris s.
Re: problem with initial setup solved
Hi, NEVER agreed. still a useful reference. alan
Re: my Radius goal radius and openldap.
On 10 Sep 2013, at 00:19, Swenson, Chris cswen...@curry.edu wrote:
> No, they are encrypted in the ldap database in md5 hash.

Right, but you have the plaintext version from the user?

> I might be too old to do bleeding edge stuff like 3.0 RC1 I will take a look and a poke at it though.

Fair enough.

Arran Cudbard-Bell
a.cudba...@freeradius.org
FreeRADIUS Development Team
Re: my Radius goal radius and openldap.
Yeah, but the goal is that it is passed to the server via a secure web page. The end goal here is getting authenticated users the right to connect to the secure ssid's. The Aruba wireless controllers are supposed to do that. If I am way over my head I have a consultant on contract. RHIP.

Sent from my Verizon Wireless 4GLTE smartphone

- Reply message -
From: Arran Cudbard-Bell a.cudba...@freeradius.org
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: my Radius goal radius and openldap.
Date: Mon, Sep 9, 2013 7:34 pm

On 10 Sep 2013, at 00:19, Swenson, Chris cswen...@curry.edu wrote:
> No, they are encrypted in the ldap database in md5 hash.

Right, but you have the plaintext version from the user?

> I might be too old to do bleeding edge stuff like 3.0 RC1 I will take a look and a poke at it though.

Fair enough.

Arran Cudbard-Bell
a.cudba...@freeradius.org
FreeRADIUS Development Team
Re: my Radius goal radius and openldap.
On 09/09/2013 08:46 PM, Swenson, Chris wrote:
> Yeah, but the goal is that it is passed to the server via a secure web page. The end goal here is getting authenticated users the right to connect to the secure ssid's. The Aruba wireless controllers are supposed to do that. If I am way over my head I have a consultant on contract. RHIP.

Unless I'm missing something here this is a very simple configuration. You've got passwords stored in LDAP using an MD5 hash. You receive a username/password pair from your web app. The password will be cleartext. This is just straightforward PAP. Look up the username in ldap in the authorize section, set the password in the request to the md5 hash you looked up and let pap handle it.

> - Reply message -
> From: Arran Cudbard-Bell a.cudba...@freeradius.org
> To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
> Subject: my Radius goal radius and openldap.
> Date: Mon, Sep 9, 2013 7:34 pm
>
> On 10 Sep 2013, at 00:19, Swenson, Chris cswen...@curry.edu wrote:
> > No, they are encrypted in the ldap database in md5 hash.
>
> Right, but you have the plaintext version from the user?
>
> > I might be too old to do bleeding edge stuff like 3.0 RC1 I will take a look and a poke at it though.
>
> Fair enough.
>
> Arran Cudbard-Bell
> a.cudba...@freeradius.org
> FreeRADIUS Development Team

--
John
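The comparison described in the message above (hash the cleartext password from the PAP request and compare it with the MD5 hash looked up in LDAP), written out in Python as an added illustration; it is not part of the thread and is not FreeRADIUS's pap module code. It assumes userPassword is stored in the standard LDAP {MD5} or {SMD5} form, accepts hex as well as base64 for unsalted MD5, and uses hypothetical function names and constructed sample entries.

```python
import base64
import binascii
import hashlib
import hmac
import re

MD5_LEN = 16  # bytes in a raw MD5 digest


def decode_stored(body, allow_hex):
    """Return the raw bytes of a stored hash written as hex or base64."""
    if allow_hex and re.fullmatch(r"[0-9a-fA-F]{32}", body):
        return binascii.unhexlify(body)
    try:
        return base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError("stored hash is neither hex nor base64") from exc


def make_smd5(password, salt):
    """Build a constructed {SMD5} value: base64(MD5(password + salt) + salt)."""
    digest = hashlib.md5(password.encode() + salt).digest()
    return "{SMD5}" + base64.b64encode(digest + salt).decode()


def pap_check(cleartext, user_password):
    """True if the PAP cleartext password matches the LDAP userPassword value."""
    match = re.fullmatch(r"\{([A-Za-z0-9]+)\}(.+)", user_password)
    if not match:
        raise ValueError("stored value has no {SCHEME} header")
    scheme, body = match.group(1).upper(), match.group(2)
    raw = decode_stored(body, allow_hex=(scheme == "MD5"))
    if scheme == "MD5" and len(raw) == MD5_LEN:
        stored, salt = raw, b""
    elif scheme == "SMD5" and len(raw) > MD5_LEN:
        stored, salt = raw[:MD5_LEN], raw[MD5_LEN:]
    else:
        raise ValueError("unsupported scheme or wrong hash length: " + scheme)
    computed = hashlib.md5(cleartext.encode("utf-8") + salt).digest()
    # Constant-time comparison, so timing does not reveal how many bytes matched.
    return hmac.compare_digest(stored, computed)


# Constructed sample entries (the password is the thread's test value "password").
SAMPLE_B64 = "{MD5}X03MO1qnZdYdgyfeuILPmQ=="
SAMPLE_HEX = "{MD5}5f4dcc3b5aa765d61d8327deb882cf99"
SAMPLE_SALTED = make_smd5("password", b"\x8a\x11\x5c\x02")

if __name__ == "__main__":
    for entry in (SAMPLE_B64, SAMPLE_HEX, SAMPLE_SALTED):
        print(entry, pap_check("password", entry), pap_check("passw0rd", entry))
```

The check only works because PAP delivers the cleartext password to the server, which is why the thread asks whether the plaintext is available from the user.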